My friend's company is trying to disable Internet access of programmer's primary development PC to improve security, while giving them another PC to connect to the Internet. He is a web programmer. I do not think this makes sense. It's going to be terribly annoying for web development. I think famous Internet companies like Google, Facebook or StackExchange would never do that. In my opinion, my friend's company should find some other way to improve security but I might be wrong.

When I read the comparison with the big internet companies, two questions sprang to my mind immediately: a) Are there reliable sources for this theory? b) Does the company in question have similar experience and resources to deal with security management?
– Hendrik Brummermann, Feb 29 '12 at 6:51


Another important question is: Does the threat-model categorize "a developer copies the source code onto the Internet" as threat?
– Hendrik Brummermann, Feb 29 '12 at 6:59

6 Answers

First of all, I'm in the camp that thinks this is a terrible idea. Security is about trade-offs, usually trading potential safety against convenience. But in a business environment it's all about costs. The cost of a potentially malicious outside influence in your source code (which is dubious at best) would have to outweigh the increase in development costs, which will be dramatic.

The cost of security failure isn't an all-or-nothing game; you can mitigate the cost of security failure by using proper vetting, backup, code review, and SCM techniques and tools. Plus, these techniques help with other issues as well, not just security problems.

The only excuse for such a policy would have to be a gross understatement of the costs it would impose and a lack of understanding regarding the alternatives. And a company with that sort of management disability is not a good long-term employment prospect.

Now, that said, I can think of one environment in which such a policy is perfectly reasonable. Specifically, many security-related companies (and government security contractors in particular) have a red-green division on all resources. The "red" side is susceptible to outside influence, while the "green" side is absolutely isolated and self-contained in every way. No cross connect, no shared systems, no shared code, no shared information.

In such an environment, "green" development would have to happen on a machine that is disconnected from the Internet. However, also in such environments, each employee/developer is expected to have two workstations, a red one and a green one, so the employee would not be utterly cut off from the Internet.

Actually I think this is a terrific idea if the company is willing to spend the money on hardware and networking to set it up properly. Also a developer should probably have more than two machines, but that is another issue ;-)

If you put two network cards into the internet machine, one for the internet and the other to connect to the development machine (isolated network), then you can use a program like Mouse without Borders to permit the developer to copy and paste data from one computer to the other. He/she could also copy files from one machine to the other.

Thanks for your answer. However, I wonder if any other good companies do this. They definitely are willing to spend the money for terrific idea.
– Sangdol, Feb 29 '12 at 5:12

Mouse without Borders requires a network connection between the computers, so it would be a no-go in this environment. Also, use Synergy instead; it's the cross-platform application that Mouse without Borders is an unimpressive ripoff of.
– tylerl, Feb 29 '12 at 6:28

@sangdol - companies are not really ready to spend this kind of money to do this right. It would mean two networks and two PCs on every desk. One network for the internal only PCs and a second network for Internet PCs.
– JonnyBoats, Feb 29 '12 at 12:15

A quick check confirms this is in ISO 27002, section 11.4.5, so it's certainly a legitimate information security control to put in place.

Whether it is appropriate in any specific case, of course, depends on the exact circumstances - the threat model, risk assessment, acceptable risk, cost of the measure in terms of productivity.

I don't believe either Google or Facebook routinely do this sort of segregation, though. This post by some ex-employees says that Google engineers do usually have two computers, but can do development work on both, and that Facebook engineers usually have one machine.

It sounds dubious to me, too. I wonder if it might be better to let the developer use the Internet, but firewalled (so incoming connections are blocked), and with some precautions to prevent compromise (e.g., automatic updates, use a modern browser, install Secunia PSI, maybe even run the browser or other Internet-facing programs in a VM if the company is sufficiently concerned, maybe even buy the developer a Mac so he/she isn't susceptible to Windows malware).

On the good side, at least the employer is providing a second PC for connecting to the Internet, rather than trying to pretend that it is not needed. And generally speaking, I think developers should try to work with the company as best as possible.

While it sounds like a not-unreasonable idea security-wise, as a developer it would be like cutting off a hand! I frequently reference internet content for reference. A default install of Visual Studio will get all help content from online sources; I also use the MS symbol servers, which AFAIK can't be installed locally.

I would allow internet access from a developer's primary workstation, via a proxy so it can be monitored. If the company thinks the access should be restricted, then I would suggest using the proxy to limit the sites that can be visited to sites relevant for the technology being used.

Sledgehammer to crack a nut if you ask me. Full disclosure: I'm a developer :)

There are plenty of other controls that can be put in place that would allow a development PC reasonably safe access to the internet, e.g. all traffic through a web proxy that requires authentication, said proxy blocking known bad sites, or those with no real business benefit (though defining that may be tricky depending on the size and type of business you are in).

Problems with developer PCs in a corporate environment tend to come from the need to install "weird" and "wacky" tools. Trying to explain to IT why you need Wireshark as a developer can be tricky, to the point that it almost becomes easier to isolate the developer PCs from the corporate network and manage their connection inbound.
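The two answers above both land on the same control: route the developer workstation through an authenticating proxy that blocks known bad sites and otherwise only allows sites relevant to the technology in use, and keep the log so denials can be reviewed. The following is an added illustration of that policy's decision order and of a review pass over the resulting log; it is not code from any answer here, and the domain lists, user names and requests are constructed placeholders.

```python
"""Egress policy for a developer workstation behind an authenticating web proxy.

Decision order mirrors a typical proxy ACL chain: explicit blocks first, then
authentication, then the allowlist, then a default deny. All lists below are
constructed for illustration, not taken from a real deployment.
"""
from collections import Counter

# Sites relevant to the technology in use (hypothetical suffixes). Matching is
# on whole labels so that "notmicrosoft.com" does not match "microsoft.com".
ALLOWED_SUFFIXES = ("microsoft.com", "nuget.org", "stackexchange.com")
# Known bad hosts (constructed placeholders).
BLOCKED_HOSTS = {"malware.example", "tracker.example"}
# Accounts permitted to authenticate to the proxy (constructed).
DEV_USERS = {"alice", "bob"}
# Proxy convention assumed here: "-" means the request was not authenticated.
ANON = "-"


def decide(user, host):
    """Return (verdict, reason) for one request from user to host."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_HOSTS:
        return "deny", "blocked host"
    if user == ANON or user not in DEV_USERS:
        return "deny", "unauthenticated"
    if any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES):
        return "allow", "allowlisted"
    return "deny", "not on allowlist"


# Constructed request log: (user, host) pairs in the order the proxy saw them.
SAMPLE_REQUESTS = [
    ("alice", "msdl.microsoft.com"),     # symbol server: allowed
    ("alice", "notmicrosoft.com"),       # look-alike: denied by label matching
    ("alice", "malware.example"),        # blocked regardless of user
    (ANON, "docs.microsoft.com"),        # allowlisted host, but no auth
    ("bob", "pastebin.example"),
    ("bob", "pastebin.example"),
]


def denied_counts(requests):
    """Count denials per (user, host) so the person monitoring the proxy can
    see repeated attempts at one host rather than reading every line."""
    return Counter((u, h) for u, h in requests if decide(u, h)[0] == "deny")
```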